1 Executive Summary


1.1 Background 

As part of the internal audit plan for 2015-16, it was agreed with the Audit
Committee that we would undertake an internal audit of the ICO's staff
recruitment arrangements.


In 2014-15, the total number of FTE roles in the ICO was 383 (consisting
of 353.5 FTE staff and 29.5 vacancies); in 2015-16 the number is forecast
to be 415 FTE (363.7 FTE staff and 51.3 vacancies).


The recruitment of high quality staff is vital to the success of the ICO in 
delivering its objectives and providing an efficient and effective service to 
its customers and stakeholders. The staff cohort for the year is defined for 
each department by the Finance Team and Organisational Development 
based upon the ICO’s income expected from government grant funding, 
Data Protection and DRIPA (Data Retention and Investigatory Powers 
Act) fees. Vacancies are then identified by each department based upon 
their budgeted cohort and operational objectives. 


Following the development of the Finance Steering Group, a reporting 
framework is in place to monitor the performance of each department 
against the agreed budget and a defined process is in place for individual 
recruitment exercises to take place. 


The objective of our review was to establish how staffing requirements are 
determined, the process to identify candidates, the selection process, and 
the preparation for new starters and how that meets the ICO 
requirements. 

1.2 Scope
Our review involved an assessment of the following risks:

• The ICO may not suitably evaluate and approve vacancies and
associated job specifications prior to inviting applications, resulting in
the operation of an inefficient and costly recruitment process;

• Candidates may not be evaluated against the approved job
specification and criteria and may not be subject to references, security
and qualification checks as appropriate, resulting in a failure to
demonstrate the appointment of the most suitable and qualified
candidate for each role;

• The ICO may not operate a robust approach to authorising all
recruitment and appointments resulting in a failure to control staffing
costs, advertising and recruitment charges;

• The ICO may not provide appropriate support to managers involved
in the recruitment process resulting in reputation damage and/or the
recruitment of unsatisfactory applicants to vacancies through poorly
delivered interviews and assessments;

• The ICO may not adequately monitor its recruitment activities
resulting in a failure to manage vacancies and appointments and the
associated adverse impact on costs.

Further details on responsibilities, approach and scope are included in
Appendix A.

1.3 Overall assessment
We have made an overall assessment of our findings as: 


Overall assessment 


Following agreement of the nature and significance of individual issues 
with management, in our view this report contains matters which 
require the attention of management to resolve and report on progress 
in line with current follow up processes. 


Please refer to Appendix B for further information regarding our overall 
assessment and audit finding ratings. 


1.4 Key findings

Risk / Process
Evaluating and Approving Vacancies               -  1  1  -
Evaluation of Candidates                         -  -  2  -
Authorisation of Recruitment and Appointments
Management Support                               -  1  1  1
Monitoring Recruitment Activity                  -  1  1  1
Total                                            -  3  5  2


The following findings are assessed as Medium: 


• The ICO does not currently have a recruitment, selection and
retention strategy in place to support the corporate objective of
‘delivering an efficient, effective service’. While the recruitment and
selection policy and procedures provide details of the objectives of the
recruitment process at a high level, we would expect Organisational
Development to develop a clear roadmap that builds on these and:

— Outlines what is expected from the recruitment and selection
process (for example improving the strength of the ICO through
the addition of new skills and experience); and

— Describes the method by which this will be achieved, the tools,
applications and partners that will enable this from the initial
identification of a resource need through to induction and
on-boarding, and the method by which it will be reported.

• The ICO provides each member of staff who is involved in shortlisting
and interviewing candidates either with classroom training or one-to-one
support in order to provide them with the skills necessary to
effectively conduct the recruitment. Our review of the training packs
noted that, while there is reference to scoring principles in the
recruitment policy, there is no guidance for scoring candidates against
prepared criteria or competencies. We would expect to find standard
guidance to be in place to enable the objective assessment of
candidates and for refresher training provided every 18 to 24 months
to provide assurance that quality and consistency of the interview
process is maintained between panel members;

• Information on headcount, vacancies and staffing budgets is provided
to budget holders on a monthly basis and reporting on staff
recruitment, turnover and retention is completed annually to the
Leadership Committee and Management Board. None of the reports
currently produced for these stakeholders contain any information on
the performance and efficiency of the recruitment process nor do they
monitor the recruitment pipeline. We would expect recruitment
activity to be part of any regular management information, allowing
vacancy advertising campaigns, the use of agencies and the end-to-end
recruitment process to be assessed for effectiveness or value for
money.

Further details of our findings and recommendations are provided in
Section 2.


1.5 Basis of preparation 
We identified the following controls in place during our audit: 


• The recruitment cohort is defined for the year ahead by management
and then devolved to departments for the heads to monitor and
control locally;

• Salary offers are pre-determined using entry rates to salary bands.
Where market demands require that different rates are offered, these
must be authorised by the Head of Organisational Development and
reported on an annual basis to the Remuneration Committee;

• Recruitment training must have been completed before a member of
staff is eligible to sit on an interview panel.

• Security checks are performed before making an offer of employment
unconditional.


1.6 Elsewhere in the sector 

We detail below other ways of working and commonly occurring issues 
that we have experienced during similar types of reviews for other public 
bodies. The following does not necessarily purport to be good practice but 
is included for your information and consideration: 


• Other bodies will record and manage candidate details on a third party
application or database. All tracking of references or security clearance
for vacancies is therefore managed automatically. Information and
reporting on areas such as the timeliness of communications, candidate
assessment scoring, use of agents and cost per vacancy may then be
produced automatically, rather than collated via spreadsheets;

• To improve the efficiency of recruitment and selection, improve
workforce diversity and reduce agency costs, during the application
period, other companies will include an internal candidate search via
social media platforms such as LinkedIn or professional portals such
as Reed or Monster to identify available candidates that meet the
vacancy criteria.


1.7 Acknowledgement 


We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 

2 Detailed Findings

The ICO may not suitably evaluate or approve vacancies and associated job specifications prior to inviting applications

Finding and Implication

The ICO has a Corporate Plan for the period 2015-18 that
describes its goals, vision and mission and objectives.
Underpinning each objective are a number of activities to be
completed during the period. One of these enabling activities
is to complete the development of a People Strategy to
clarify the competitiveness of pay and grading at the ICO by
2015, developing people for senior roles, identifying better
ways of working and reviewing policies on recruitment and
retention.

Whilst the development of this Strategy is underway, plans
to develop the recruitment and retention strand do not
include the development of a recruitment strategy that builds
upon the Recruitment and Selection policy and procedure
clearly outlining how and when recruitment will take place.

Without a clear strategy to drive recruitment action forward,
there is a risk that the ICO may not operate an effective
recruitment process, failing to engage with agents and
partners, achieve best value for money and operate a fair
and transparent selection process.

Proposed action

To build on the objectives set out in the
Recruitment and Selection Policy and
Procedures, Organisational Development should
develop and agree a recruitment strategy that
describes:

• The objectives of the recruitment and
selection process (for example the need for
new strategic skills or skills to enable the
ICO to develop following the introduction of
new legislation or operational requirements);

• The structure of the Recruitment team and
their respective responsibilities, and those of
the recruiting department;

• Supporting application systems and
processes;

• The recruitment channels and sourcing
strategies that will be used to source
candidates according to the needs of the
ICO;

• Shortlisting strategies;

• The assessment and selection framework
and how it supports the ICO's recruitment
requirements;

• Effective on-boarding and induction;

• Tracking and engaging with leavers with a
view to potential future re-engagement.

Agreed action (Date / Ownership)

The ICO will develop a People Strategy to set
out the approach to managing, developing and
supporting the organisation's people.

One strand of this will be the development of a
Recruitment and Selection Strategy to elaborate
on the details set out in the R&S Policy.

This will also set out known recruitment plans for
the coming period (12-18 months).

Date Effective:
People Strategy October 2015
Recruitment Strategy March 2016

Owner: Mike Collins

Reviewing and authorising vacancies

Finding and Implication

Vacancies are reviewed and authorised in two distinct ways:

• For new vacancies within a department, a business case
must be completed by the Head of Department,
submitted and reviewed by the Executive Team and
graded by the job grading panel before recruitment can
commence;

• For recruitment of replacement roles, the vacancy is
reviewed by the Head of Organisational Development
prior to recruitment taking place.

As part of our review, we selected six separate posts for
which a candidate had been successfully recruited. Whilst
we confirmed that all had been reviewed and agreed by the
relevant authoriser, our review of the process noted that:

• For replacement roles, whilst the Head of Organisational
Development reviews the current FTE budget, there is no
evaluation as to whether the vacancy is still required by
the department in which it has been identified, nor of
whether the cost of the FTE could be better used in
another area of the ICO;

• Executive approval for roles takes place prior to the job
being evaluated by the grading panel. Although the
approximate grade of a role will already be known by the
Executive, the body as a whole does not have a clear or
accurate view of the total cost of a post prior to the role
being agreed.

Therefore, there is a risk that the ICO is evaluating FTE
vacancies without all available operational information being
provided prior to inviting applications, increasing operational
costs and reducing overall departmental effectiveness.

Proposed action

• In evaluating replacement posts, the Head
of Department should complete and submit
a business case that details the continued
need for the post in their area to be
considered as part of the sign off of the
recruitment request by the Head of
Organisational Development.

• When submitting new posts for evaluation, a
minimum, maximum and average wage
band (and all other supporting costs) should
be provided to the Executive Committee to
enable them to make a fully informed
decision as to the maximum potential cost of
the new role.

Agreed action (Date / Ownership)

Staff Requisition forms to be updated to require
Departmental Heads to elaborate on the need
for a replacement post and confirm if alternative
options were considered.

A new procedure for the creation and
implementation of new posts to be developed
which incorporates the job grading process. This
will require the provision of information about the
cost of posts.

Date Effective: March 2016
Owner: Mike Collins and HR team.

New process to be developed by Mike Collins and
agreed with Job Grading panel and Leadership
Group.

2.2 Candidates may not be evaluated against approved job criteria or subject to appropriate reference checks

3. | Low | Screening and pre-shortlisting

Finding and Implication

The ICO does not operate a screening process of
applications prior to the review by panel members.
Consequently the shortlisting process is very manually
intensive as a member of the recruitment team must collate
all applications received from a recruitment advert, remove
all personal details from the electronic copy of the
application form and print a physical copy for each member
of the panel to review.

In operating the shortlisting process in this manner, the ICO
is not making the best use of its resource in terms of both
the recruitment team performing the application
administration and for panel members reviewing large
numbers of applications for the shortlist.

Proposed action

In order to reduce the number of candidates
being passed to shortlisting, Organisational
Development should implement a 'screening'
step (for example, a set of online questions, a
review against the criteria for the role, or a short
candidate exercise) into the recruitment process.

In addition, to improve the efficiency of the
shortlisting process, the manner in which the
shortlisting process operates should be
reviewed. PDF documents should be used to
remove candidates' personal information from
experience and CV details and electronic
storage and collation should be used rather than
physical copies printed for each shortlisting
panel member.

Agreed action (Date / Ownership)

Work with managers to develop a process for
screening out obviously unsuitable applications
before submission to shortlisting managers
where there are high numbers of applications
received. Amend R&S procedures accordingly.

Date Effective: March 2016

Owner: Mike Collins and HR team

4. | Low | Managing references and pre-employment checks

Finding and Implication

Once a provisional job offer is made, the 'Right to Work'
(RTW) spreadsheet, along with individual employee
checklists, is used by the recruitment team to track
applicants through the process of obtaining references and
completing pre-employment criminal records and health
checks. These documents also provide assurance that all
documents required by the ICO have been verified before
making an unconditional offer of employment.

As part of our fieldwork, we reviewed a total of six applicant
files to confirm that all required documentation had been
received prior to an unconditional offer being made. Whilst
we confirmed that in each instance, all information and
checks were recorded within the applicant's physical file and
on the employee checklist, the RTW spreadsheet was
incomplete.

In not maintaining complete information on each recruitment,
there is a risk that either an offer may be made to a
candidate without being subject to references, security and
qualification checks, or checks may be
requested more than once, impacting upon the effectiveness
of the process.

Proposed action

To provide assurance that each recruitment is
proceeding in a timely manner, and all
documentation has been requested (or
received), the recruitment and selection team
should complete each section of the 'Right to
Work' spreadsheet once the relevant step has
been concluded.

Agreed action (Date / Ownership)

Reminder for team to complete all aspects of the
spreadsheet and management to complete
periodic audits of them.

Date Effective: September 2015

Owner: Mike Collins

2.3 The ICO may not provide appropriate support to managers involved in the recruitment process

5. | Medium | Interviewing training and guidance

Finding and Implication

Recruitment and selection training takes the form of either a
full day classroom session or a shorter personal one-to-one
meeting between the trainer and the recruiting manager.
These sessions are mandatory for all members of staff who
may be involved in shortlisting and interviewing and cover
elements such as how to shortlist and managing diversity.

From our testing of applicant files, a total of fourteen
separate individuals had been used to complete the
interview panels, and we were able to confirm that all had
either received formal training or a one to one session.

As part of the recruitment and selection training or
recruitment process advice, there is however no guidance to
direct panel members in scoring candidates against the
prepared criteria or competencies.

There is a risk that the lack of transparent candidate scoring
may result in the ICO being unable to objectively refute
challenges from unsuccessful candidates who dispute the
outcome of the selection process.

Proposed action

One to one recruitment and selection training
should include a specific section on
competency-based interviewing, covering how
candidate answers should be assessed and how
scoring may be effectively supported by
evidence should a review of interview notes or
the selection process be required.

Agreed action (Date / Ownership)

One to one briefing sessions to include
competency based interviews and guidance on
assessing the quality of responses.

Date Effective: September 2015

Owner: Mike Collins, HR Team and L&D team

6. | Improvement | Confirmation of successful training

Finding and Implication

Once an individual has attended the recruitment and
selection training, they can take part in the shortlisting and
interviewing process.

However, the one to one training sessions do not involve a
test to confirm that the individual has gained the necessary
interviewing skills and knowledge for the ICO to be
comfortable that they can conduct interviews effectively.

There is a risk that without assurance that the panel
members have reached an acceptable level of competence
in recruitment techniques, the interviews and selection
panels may not be delivered effectively, resulting in
reputational damage and/or the recruitment of unsatisfactory
applicants to vacancies.

Proposed action

To provide additional rigour to the recruitment
training process, as part of each one to one
training session, each individual should be
formally assessed by the training provider who
should confirm that they have reached an
acceptable standard and have gained the
necessary skills to conduct interviews
effectively.

Agreed action (Date / Ownership)

One to one briefing sessions will give managers
the opportunity to undertake a practice interview
with the training provider or another individual.

Date Effective: September 2015

Owner: Mike Collins, HR Team, L&D team

7. | Low | Refresher training

Finding and Implication

Following initial recruitment and selection training, panel
members are not invited to attend sessions to refresh skills
or provide updates on the latest recruitment legislation.

There is a risk that without up to date training covering the
application of the latest legislation and the method by which
the ICO undertakes candidate selection, interviews and
selection panels may not be delivered effectively, resulting in
reputational damage and/or the recruitment of unsatisfactory
applicants to vacancies.

Proposed action

Organisational Development should review the
policy for recruitment and selection training with
Learning and Development and develop a
mandatory refresher training for all relevant
personnel. Held upon the release of legislation
that impacts upon recruitment, this training
should provide all interviewers with the most
recent legislation, as well as further developing
interviewer skills.

Agreed action (Date / Ownership)

Places on recruitment training sessions to be
available to experienced recruiters. Managers to
be updated with changes to law affecting
recruitment.

Annual and mandated refresher training for all
managers involved in recruitment is unlikely to
be a proportionate response. HR team member
involved in recruitment panels to remind
selection panel of their obligations, processes
and legal aspects to recruitment by way of a
refresher.

Date Effective: September 2015

Owner: Mike Collins and HR team.

2.4 The ICO may not adequately monitor its recruitment activities



8. | Medium | Management information development

Finding and Implication

Information on headcount, vacancies and staffing budgets
has been developed by Finance and is reported through the
Finance Steering Group and budget holders on a monthly
basis to allow them to monitor their real-time staff FTE count
in line with their monthly salary budget vs expenditure.

Reporting on staff recruitment, turnover and retention is
completed annually to the Leadership Committee and
Management Board by the Head of Organisational
Development.

Whilst the Recruitment and Selection team collect and retain
data on the recruitment process, none of the reports
currently produced for management stakeholders contain
any information on the performance, efficiency and
effectiveness of the recruitment process. There is also no
formal reporting in place with regard to pipeline monitoring or
benchmarking/review of each method of recruitment.

Without this information, there is a risk that recruitment
activities (for example use of agencies or advertising in
recruitment) may not be operating effectively and resulting in
an inefficient use of ICO resources.

Proposed action

Using information that is already available or
collated by the recruitment team, a recruitment
and selection dashboard should be developed
for reporting to the Leadership Committee and
Management Board.

This dashboard should contain additional
information on:

• The number of open vacancies, number
advertised/under way, number filled to
date/during the year;

• HR advisor workload (staff utilisation);

• Reporting on the recruitment cycle (average
time for each stage of a recruitment to
complete, from date of advert to shortlisting,
interview completion, offer made/accepted
and post filled);

• Average cost per recruitment (divided into
internal recruitments, external recruitments
and agency referrals).

Agreed action (Date / Ownership)

Information to be collated for management
board and for Leadership Group to be provided
each quarter.

Date Effective: October 2015 (next Management
Board)

Owner: Mike Collins and HR team

9. | Low | Monitoring retention and recruitment 'lessons learned'

Finding and Implication

All leavers from the ICO are interviewed as part of the exit
process. Reasons for leaving are noted and collated to
identify possible trends. This information, together with the
retention and attrition data, is collated and reported annually
to the Management Board and Leadership Committee by the
Head of Organisational Development as part of the
Organisational Development dashboard.

Of the 39 staff that left in 2014/15, 4 left in the first year of
service, with 2 of these due to probation failures. Whilst the
ICO does collate reasons for leaving, it is not fed into a
recruitment 'lessons learned' to inform hiring managers and
the training provided in order to improve future staff
recruitment.

In not considering information on unsuitable candidates or
those that stay under a year as a formal part of the
recruitment process, there is a risk that opportunities to
improve the recruitment process or the interviewing skills of
individual managers may be missed. The ICO may continue
to employ unsuitable candidates, ultimately increasing
recruitment costs and affecting the service provided to ICO
customers.

Proposed action

As part of the monitoring of retention rates,
Organisational Development should review each
leaver who completes less than one year of
service. This review should make reference to
the recruitment and selection process that
resulted in their appointment, including an
objective assessment of individual recruiting
managers to understand whether there may be
a need to provide additional training to
individuals. Any lessons that may be gained
from this review should then be fed back to
interviewing managers and incorporated into the
recruitment and selection training.

Agreed action (Date / Ownership)

Feedback to be obtained from recruiting
managers and the team managers to gauge the
effectiveness of those recruited.

Reported back to recruiting panels for
consideration in future exercises.

Date Effective: December 2015

Owner: Mike Collins and HR team

10. | Recruitment satisfaction surveys

Finding and Implication

Following an offer being accepted by a candidate, the
recruitment team do not approach individuals (either
successful or unsuccessful) for feedback on the recruitment
methods applied. No independent assurance is therefore
gained by the team that the process meets the expectations
and needs of those that are applying (for example,
application turnaround times, communication, arranging
interviews or assessment completion).

Without regular feedback of the process from those directly
involved, there is a risk that the process may not be
engaging and may discourage the most suitable and
qualified applicants, ultimately resulting in the ICO not
appointing the best person for each role.

Proposed action

The recruitment and selection team should
develop a ‘customer satisfaction’ survey that
requests candidate feedback on areas such as
timeliness and effectiveness of communication
and the interview process.

Upon completion of a recruitment cycle, this
survey should be sent to the successful
candidate and if appropriate a sample of
candidates that also attended the interview
process.

Survey results should then be collated by the
recruitment team and reported as part of the
‘recruitment dashboard’ with any areas noted as
requiring improvement flagged for action.

Agreed action (Date / Ownership)

We will explore this as part of our review of the
recruitment process as a whole.

Date Effective: March 2016

Owner: Mike Collins

A Internal audit approach


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards (2013) and the Auditing 
Practices Board’s ‘Guidance for Internal Auditors’. We also had regard to
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). In addition, we comply in all material respects with other 
Government guidance applicable to Public Bodies and have had regard to 
the HM Treasury guidelines on effective risk management (the ‘Orange 
Book’). 


As part of the internal audit plan for 2015-16, we agreed with the Audit 
Committee and management that we should carry out a review of the 
ICO's staff recruitment arrangements, to further inform our on-going 
understanding of the ICO’s key internal control activities. 


Our aim in completing this audit was to ensure that the ICO has 
appropriate arrangements in place to identify, manage and report on risk. 

We achieved our audit objectives by:

• meeting with key staff to gain an understanding of the arrangements in
place to manage the recruitment process and measure performance
and quality of delivery of recruitment services to the ICO;

• identifying the key risks to these arrangements and evaluating the
management controls that mitigate these risks; and

• reviewing key documents that support the above processes.


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 


Responsibilities 

The Information Commissioner acts through his Board of Management 
and the Information Commissioner's Office ("ICO") discharges his 
obligations. Therefore references to the Information Commissioner and 
the ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 


HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
achieving its strategic objectives. The Board should therefore maintain
sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should 
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 
Our review involved an assessment of the following risks: 


• The ICO may not suitably evaluate and approve vacancies and
associated job specifications prior to inviting applications;

• Candidates may not be evaluated against the approved job
specification and criteria and may not be subject to references, security
and qualification checks as appropriate;

• The ICO may not operate a robust approach to authorising all
recruitment and appointments;

• The ICO may not provide appropriate support to managers involved
in the recruitment process;

• The ICO may not adequately monitor its recruitment activities.


Additional information 
Client staff 
The following staff were consulted as part of this review: 


• Michael Collins — Head of Organisational Development 

• Stephen Eckersley — Head of Enforcement 

• Katy Hulme — HR Manager 

• Sally Gozem — HR Assistant 


Documents received 
The following documents were received during the course of this audit: 


• Employee Personnel File Checklist 

• New Vacancy Checklist 

• Log of SR1 Forms & Resignations 2015-04 to 2016-03 

• Right to work — Clearance Spreadsheet 

• Recruitment EOM Analysis by campaign 2014-15 

• Notes for shortlisting panel 

• Candidate spreadsheet — Senior Policy Officer SL — May 15 

• Finance Steering Group Agenda, Friday 12 June 

• Finance Steering Group Agenda, Thursday 9 July 

• Management Report, Human Resources 

• ICO Recruitment & Selection Training Notes 

• ICO Recruitment & Selection Training Agenda, Thursday 9 July 


Locations 
We visited The Information Commissioner's Office, Wilmslow for this 
review. 
B Definition of overall assessment internal audit ratings 


Overall assessment 


Rating Description 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 


We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 


Audit issue rating 
Within each report, every audit issue is given a rating. This is summarised in the table below. 


Rating / Description / Features 

Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management. 
Features: 
• … operating effectively 
• Non compliance with key procedures / standards 
• Non compliance with regulation 

Description: Important findings that are to be resolved by line management. 
Features: 
• Impact is contained within the department and compensating controls would detect errors 
• Possibility for fraud exists 
• Control failures identified but not in key controls 
• Non-compliance with procedures / standards (but not resulting in key control failure) 

Description: Findings that identify non-compliance with established procedures. 
Features: 
• Minor control weakness 
• Minor non compliance with procedures / standards 

Description: Items requiring no action but which may be of interest to management or best practice advice. 
Features: 
• Information for department management 
• … operating but not necessarily in accordance with best practice 
Grant Thornton 


An instinct for growth 

“Grant Thornton” refers to the brand under which the Grant Thornton member firms 
provide assurance, tax and advisory services to their clients and/or refers to one or more 
member firms, as the context requires. 


Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). 
GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is 
a separate legal entity. Services are delivered by the member firms. GTIL does not provide 
services to clients. GTIL and its member firms are not agents of, and do not obligate, one 
another and are not liable for one another’s acts or omissions. 


grant-thornton.co.uk 


